First
Previous
3. Managing Networks To Stop Spam
Stopping Spam: Creating a Stronger, Safer Internet
Report of the Task Force on Spam
May 2005
The Challenge
Any measure aimed at successfully protecting the security of Internet communications from threats such as spam, viruses and spyware must involve more than government actions. There is consensus among stakeholders on a number of steps that can be taken by ISPs and other network operators (e.g. large enterprise users, universities, government departments) to build trust in Internet communications.
Some of these initiatives relate to the development and application of technology. Others relate to the implementation of best practices within the industry, including Acceptable Use Policies that prohibit spamming. All of these industry initiatives are based on a common goal: ensuring that email remains a viable tool for legitimate business and personal communications.
By its design and architecture, the Internet is an open network of networks that allows the free flow of information. The redesign and implementation of technical standards to enhance security and curtail abuse will be ongoing over many years.
There are, however, a number of known practices that permit spam and other forms of network abuse to happen. These include leaving servers open to relay and forward messages, thereby allowing computer systems to be hijacked as proxy email servers for abusers. Some steps have been taken by several organizations to warn businesses and network managers about the importance of securing systems and networks, but adoption of these practices remains uneven.
While the problem of spam, like the Internet itself, is global in scope, network-management actions taken in Canada can contribute to the solution. Those who own and manage networks and facilities must address and adopt management practices that will effectively reduce and control spam and related threats.
Canadian industry stakeholders have the ability to agree on basic operating practices for network facilities that will reduce spam, and can show leadership by requiring the adoption of these practices on networks and facilities based in Canada.
Task Force Actions
The Task Force on Spam represents the first-ever collaborative, concerted effort involving a broad range of organizations, including most of the country's largest and smallest broadband and dial-up ISPs, other network operators, large enterprise users, software developers, anti-spam advocates and government. The agreement by these stakeholders to work together to develop and implement industry-wide spam solutions is an important step forward. However, it is only the beginning of a long-term commitment to taking the actions necessary to stop spam.
Box 3: Recommended Best Practices for Internet Service Providers and Other Network Operators
- All Canadian registrants and hosts of domain names should publish Sender Policy Framework (SPF) information in their respective domain name server zone files as soon as possible.
- ISPs and other network operators should limit, by default, the use of port 25 by end-users. If necessary, the ability to send or receive email over port 25 should be restricted to hosts and the provider's network. Use of port 25 by end-users should be permitted only on an as-needed basis, or as set out in the provider's end-user agreement / terms of service.
- ISPs and other network operators should block email file attachments with specific extensions known to carry infections, or should filter email file attachments based on content properties.
- ISPs and other network operators should actively monitor the volume of inbound and outbound email traffic to determine unusual network activity and the source of such activity, and should respond appropriately.
- ISPs and other network operators should establish and consistently maintain effective and timely processes to allow compromised network elements to be managed and eliminated as sources of spam.
- ISPs and other network operators should establish appropriate intercompany processes for reacting to other network operators' incident reports.
- ISPs, other network operators and enterprise email providers should communicate their security policies and procedures to their subscribers.
- ISPs and other network operators should implement email validation on all their Simple Mail Transfer Protocol (SMTP) servers (inbound, outbound and relay).
- Non-delivery notices (NDNs) should only be sent for legitimate emails.
- ISPs and other network operators should ensure that all domain names, Domain Name System (DNS) records and applicable Internet protocol (IP) address registration records (e.g. WHOIS, Shared WHOIS Project [SWIP] or referral WHOIS [RWHOIS]) are responsibly maintained with correct, complete and current information. This information should include points of contact for roles responsible for resolving abuse issues including, but not limited to, postal address, phone number and email address.
- ISPs and other network operators should ensure that all their publicly routable and Internet-visible IP addresses have appropriate and up-to-date forward and reverse DNS records and WHOIS and SWIP entries. All local area network (LAN) operators should be compliant with Request for Comments (RFC) 1918 — "Address Allocation for Private Internets." In particular, LANs should not use IP space globally registered to someone else, or IP space not registered to anyone, as private IP space.
- ISPs and other network operators should prohibit the sending of email that contains deceptive or forged headers. Header-tracing information should be correct and compliant with relevant RFCs, including RFC 822 and RFC 2822; and reference domains and IP addresses should have up-to-date, accurate registration information.
Recommended Best Practices for Internet Service Providers and Other Network Operators
The Task Force has developed a set of recommended technical best practices intended to help reduce spam in Canada. Box 3 above presents the highlights of that document. The adoption of these practices will also address spam-related security issues, since spam is often the vehicle for more harmful activities. The practices represent a continuation of efforts and progress that have been under way for some time in Canada and internationally. The Task Force has advanced this work to establish the first truly national consensus on recommended technical measures for combatting spam. Through these best practices, Canada has a model to share internationally in the global fight against spam. However, it will be important to continually update these best practices to reflect the continuing evolution of spam trends and techniques.
The full text of the best practices recommended by the Task Force is presented in Appendix B.
Measuring Implementation and Impact
A substantial number of Canadian ISPs, including many of the major players and other network operators, have started to implement some or all of the recommended technical practices, particularly by blocking port 25 and upgrading their filtering techniques.
The experiences of other countries have shown that ISPs themselves, particularly market leaders, can do much to spread the adoption of anti-spam technical and business best practices throughout the industry. The leadership already shown by some Canadian ISPs in implementing the recommended best practices has been instrumental in encouraging other ISPs to do likewise.
While this is an encouraging beginning, it will clearly be necessary to systematically monitor the implementation of the recommended best practices, in order to assess their impact and identify any new problems that may need to be addressed through amendments or additions to the best-practices provisions. If this is not done, it will be difficult for industry, government policy-makers and other stakeholders to determine the level to which industry has adopted the recommended best practices, or to measure their effectiveness in the fight against spam.
In the spirit of industry self-regulation, the Task Force encourages the major players in the ISP and network-operator communities to continue to show leadership in implementing the recommended best practices, and to encourage others to follow their example.
The Task Force also calls on the major players and relevant industry associations to play an active role, together with the coordination body described in Chapter 7, in helping develop an effective system for measuring and publicly reporting on the impact of the recommended best practices.
Canadian Spam Database ("Spam Freezer")
The Task Force on Spam evaluated the idea of establishing, under a public-private sector partnership, a Canadian spam database, or "Spam Freezer," similar in design to the "Spam Fridge" maintained and monitored by the U.S. Federal Trade Commission (FTC).
The objective of a Canadian database would be to provide a repository to which email users could send copies of spam received in their computer mailboxes. Spam messages sent to the database would be inventoried and kept for a prescribed period of time by a Canadian organization with central coordinating responsibility in the fight against spam.
The database would provide an opportunity for law enforcement agencies from Canada and possibly other countries, ISPs, other network operators and various levels of government to access data that could be used for statistical analysis and to gather evidence for anti-spam enforcement activities.
Internet Email Spam Over Wireless Devices
Unlike the Internet, which developed as an open, public network, mobile technologies were originally deployed on closed, private networks.
Convergence of technologies and increased interaction between the Internet and mobile technologies, however, mean that some of the problems that originally affected the Internet are beginning to affect mobile networks. This can happen when people use wireless devices to retrieve email, including spam, from their ISPs. It can also happen when people begin to receive new forms of spam originated on wireless networks and transmitted through mobile-phone text messaging (i.e. SMS), multimedia messaging and instant messaging services. These kinds of messaging services have become successful applications of mobile technology. They provide a host of possibilities for developing innovative services, but also give spammers new opportunities.
"Mobile" or "wireless" spam is potentially more problematic than spam sent to desktop computers, since wireless spam follows the customer and since, in some cases, customers pay a fee per message received. Wireless spam is a major annoyance to wireless subscribers, and can potentially be much more intrusive than spam sent to a personal computer.
The Task Force consulted with the Canadian wireless industry to discuss this issue and explore what might be done to prevent spam from becoming a major problem on wireless networks. Through these discussions, the Task Force learned that spam originating on wireless networks is perceived as a serious threat by wireless-network operators. The wireless industry is implementing technical measures to protect its customers from wireless spam, and is also considering legal and regulatory remedies that could help prevent wireless spam.
Both the Task Force and wireless-industry representatives recognized that the anti-spam solutions adopted by the federal government and other stakeholders as a result of the Task Force's work and recommendations should be technology neutral, and applied to the wireless industry through the appropriate mechanisms.
Sharing Technical Information Among Internet Service Providers and Other Network Operators
Although industry has done a lot of good work to fight spam, and has reported some significant improvements as a result of these efforts, much remains to be done in terms of collaboration.
Key to success will be ISPs and other network operators' continued improvement of the sharing of spam-related information. To succeed in the fight against spam, it will be very important for ISPs and other network operators to deal with issues in a concerted way by communicating quickly and effectively on issues and problems of common concern, and by establishing appropriate intercompany processes to respond to incident reports.
Recommendations
ISPs and other network operators are on the front lines in the fight against spam. As the point of contact between those who originate spam and those who receive it, they are uniquely positioned to fight spam.
We therefore recommend the following:
Recommendation 8:
ISPs and other network operators should implement the best practices recommended by the Task Force on Spam.
Recommendation 9:
ISPs and other network operators, in cooperation with the coordination body established by the Minister of Industry (pursuant to Recommendation 5), should, on an ongoing basis, measure the scope of the spam problem in Canada and assess the impact of the recommended practices. They should continue to identify issues that may require further study, with a view to developing additional recommendations.
Recommendation 10:
To assist in the ongoing monitoring of spam trends and the continued development of anti-spam measures and techniques, the federal government should lead in establishing a Canadian spam database (i.e. the "Spam Freezer").
Recommendation 11:
ISPs and other network operators should adopt and enforce Acceptable Use Policies (AUPs) that clearly prohibit spamming activities on their networks.